International Journal of Computer Networks & Communications (IJCNC)




Minh Nguyen Hieu1, Bac Do Thi2, Canh Hoang Ngoc3, Manh Cong Tran4, Phan Duong Phuc5 and Khoa Nguyen Tuan6

1Institute of Cryptographic Science and Technology, Hanoi, Vietnam
2Thai Nguyen University of Information and Communication Technology, Thainguyen, Vietnam
3Thuongmai University, Hanoi, Vietnam
4Le Quy Don Technical University, Hanoi, Vietnam
5Academy of Cryptography Techniques, Hanoi, Vietnam
6Research Laboratories of Saigon High-Tech Park, Ho Chi Minh City, Vietnam


The article proposes two different designs for the new block cipher algorithm of 128-bit block size and key lengths of 128-bit or 192-bit or 256-bit. The basic cipher round is designed in a parallel model to help improve the encryption/decryption speed. The differences of this design compared to the previous one developed on Switchable Data Dependent Operations (SDDOs) lies in the hybrid of the controlled elements (CEs) in the structure. Each design has a specific strength that makes the selection more compatible with the objectives of each particular application. The designs all meet the high security standards and possess the ability to fight off the attacks currently known. The designs match the limited environment of the wireless network by integrating effectively when implemented on Field-programmable gate array (FPGA) with both iterative and pipeline architectures for high effective integration.


Controlled substitution–permutation network (CSPN), Switchable Data Dependent Operation (SDDO), Block cipher, Hybrid model, Field-programmable gate array (FPGA).


A prior requirement for the cryptographic algorithm applied/employed to secure information in different wireless networks today is to save resources, low calculation costs, and low power consumption. This is a major requirement in wireless networks in general [1, 31]. Thus, the security designs are facing a critical requirementwhich is to secure by cipher for the increasingly complex wireless networks but must take into account more limits [2, 32]. The wireless devices working with battery power will be constrained by the environment in which they work and the resources with which they dealt. This makes the security designers unable to consider the security issues only from the property aspect. One of the most important current challenges is the gap between energy needs and the performance requirements for the handling of the security issues of [1, 2, 31, 32]. The processing gap which is the security system architecture of the current wireless network does not meet the required calculation of the security processing. The battery gap has emphasized that the cost for the current energy consumption to support the security problems of wireless networks working on batteries is very great. In addition to flexibility, it also requires the

mobile wireless networks to work on un-sync standards and security protocols. Tamper resistance has emphasized that the mobile wireless networks are on the face of the increasing number of attacks from the physical attacks to the software attacks. Assurance gaps regarding the reliability make the security systems demands continue to function reliably despite the attacks from the smart opponents intentionally looking forunexpected errors [2]. However, the level of security is not the only important issue, an efficient encryption algorithm is an algorithm that should occupy less storage capacity, optimal use of hardware resources and consume less power. The cost of encryption and decryption depends on several parameters: the size of plaintext and ciphertext respectively; the complexity of the algorithm, cipher mode selected; and the process of the key generator. In particular, the key length is an important factor, and the longer the key, the longer the cipher. Similarly, the cost of encryption is dependent and the cost needs to perform decryption.

To meet the design requirements, one of the known trends, meeting the construction of a high- speed cipher algorithm for wireless communication networks is the use of Data Dependent Permutations (DDPs) [3]. They are built based on permutation networks constructed from primitive operation P2/1 proposed and used as a primary element to design of various block  ciphers like CIKS-1[4], CIKS-128 [5], Spectr-H64 [6], Cobra-S128 [7], Cobra-H64 [7], Cobra- H128 [7]. The ciphers based on DDP, however, have a potential weakness for the attacks based on linear cryptanalysis and differential cryptanalysis, this has been demonstrated in studies [8- 12].

To overcome the weakness of the cipher algorithms based on DDP, some cipher algorithms based on the Data Dependent Operations (DDOs), they are built from controlled elements (CEs) of F2/1or F2/2 recommended in some studies DDO-64 [13], DDO-128 [13], Eagle-64 [14], Eagle-128 [14], XO-64 [15], KT-64 [16]. These algorithms have proven to be suitable for the implementation of cheap hardware and high speed. However, these algorithms use only a simple key schedule; they can be related-key attacks (RKE) [21-25].

Thus, a new method against the related-key attacks is to develop algorithms based on the Switchable Data Dependent Operations (SDDO). SDDO is reviewed as the newest cipher operation, oriented to the design of a fast cipher algorithms suited to applications in the limited environment. SDDO is firstly suggested in Hawk-64 [17, 18]. Algorithms of MD-64 [19], BMD- 128 [20] have also given and demonstrated their strengths in terms of security and integrated efficiency on the given hardware.

Integral efficacy advantages of SDDO combined with the CSPN design model in hybrid [26], a new block cipher algorithm named BM123-128 is proposed in this article. This is the block cipher algorithm of 128-bit block size with key lengths of 128-bit or 192-bit or 256-bit.

The algorithm is developed on various SDDOs with F32/256 (V,e) andF32/128 (V,e) in which:
F32/256 (V,e) hybrid CSPN structure built from two CEs are F2/2 and F’2/2.
F32/128 (V,e) built according to a uniform CSPN structure from CE F2/1(using CE Q2/1 [18]).

This is the special feature to create new designs. This solution helps each design have its own strength. Further advantages of the algorithm is it is designed according to the model of parallel processing for basic cipher round in order to enhance the encryption/decryption speed. At the same time, the algorithm that uses simple key schedule, but still ensures security against the random cryptanalysis. The process of encryption/decryption using the same structure with the use of switchable operation is set between the two modes of encryption and decryption. The results of

integral efficacy evaluation of algorithms on hardware obtained high integration effect. This shows an algorithm that meets the design requirements.

The article is structured as follows: Following the introduction, section 2 will present a new block cipher algorithm: BM123-128 with two different designs; section 3 presents the security estimation, the results of implementation on FPGA and section 4concludes on matters closely related to the proposed algorithm.


BM123-128 is an algorithm which is developed in the block cipher mode with a block size of 128-bit, with 8 transformation rounds and secret key able to be selected as 128-bit or 192-bit or 256-bit. BM123-128 is designed in a parallel model for basic cipher round. This model helps to make encryption and decryption faster than serial models or a combination of serial and parallel models. The algorithm has used various SDDOs (F(V,e))in each particular case. SDDO is built based on hybrid or uniform CSPNs, then adds operation to Switchable Controlled Operation (SCO). The use of SDDO has been suggested earlier in several studies and considered as an element helping supporting the design of block cipher by using a simple key schedule. This helps the algorithm eliminate weak key that has just created a higher performance when deploying the algorithm on FPGA by reducing the cost of resources.

The process of encryption/decryption of BM123-128 is described as follows: Permutations in Figure 1(a1) and Figure 2(a2):

I=(1)(2,34)(3)(4,36)(5)(6,38)(7)(8,40)(9)(10,42)(11)(12,44)(13)(14,46)(15)(16,48)(17)(18,50)(19)(20,52)(21)(22,54)(23)(24,56)(25)(26,58)(27)(28,60)(29)(30,62)(31)(32,64)(33)(34,2)(35)(36,4)(37)(38,6)(39)(40,8)(41)(42,10)(43) (44,12)(45)(46,14)(47)(48,16)(49)(50,18)(51)(52,20) (53)(55)(56,24)(57)(58,26)(59)(60,28)(61)(62,30)(63)(64,32).


I‘= (1)(2,5)(3,9)(4,13)(5,2)(6)(7,10)(8,14)(9,3)(10,7)(11)(12,15)(13,4)(14,8)(15,12)(16)

The design model of BM123-128 algorithm is shown in Figure 1, Figure 2 and Figure 3. Crypt(e)transformed function is detail described through the basic cipher round based on Figure 1(a1) and Figure 2(a2). The algorithm is developed with 2 different designs as in Figure 1(a1) and Figure 2(a2).

Figure 1. BM123-128 algorithm
(a1) basic cipher round (Crypt(e)) of case 1,
(b1) F’4/8, (c1) F32/128, (d1) F’16/64, (e1) F’32/256, (f1) F′32/256(𝐿,𝑒)

Figure 2.BM123-128 algorithm
(a2) basic cipher round (Crypt(e)) of case 2,
(b2) Q4/4,(c2) Q32/64, (d2) Q16/32, (e2) Q32/128, (f2) Q32/128(𝐿,𝑒)

Figure 3.The general structure of BM123-128

The CSPN design process in cases of the algorithm is shortly described as follows:

Weakness in the choice of F2/2 is a balanced logic function with a nonlinearity lower than the balanced logic function of F2/2, but has a higher differential characteristics (see Table 1). This yields a better avalanche effect of element than other cases, i.e. the ability to resist attacks by differential cryptanalysis of the algorithm, in this case, is also better.

Q2/1 CE shows the greatest non-linearity for y1, y2. Differential characteristics are listed in Table 1.

SDDOs:SDDOs F′32/256(𝑉,𝑒), Q32/128(𝑉,𝑒) used in the algorithm are described as in Figure 1(f1)and Figure 2(f2). The use of SDDO in the algorithm as mentioned will prevent possible weaknesses caused the only using a simple key schedule.

Also based on the results of the statistical analysis of the effects of keys and the analysis to eliminate weaknesses in related-key attacks, the key schedule of BM123-128 algorithm is designed as presented in Table 2.

Table 2. The key scheduling and lists the switch bits in BM123-128


The use of SDDO to design cipher algorithms using simple key schedule have been mentioned earlier in the studies [17-19, 27]. The use of SDDO also eliminates weak keys that may be generated due to not using complex key processes. This has been demonstrated in previous studies [8, 9].

Moreover, SDDO is built from a hybrid construction of CSPN in the design of algorithms. The hybrids will create greater space of choices that help the designers systemize the security by cipher with appropriate compromise between the security and integral efficacy of the algorithms on hardware.

 3.1. Review of differential cryptanalysis

The resistance of a block cipher against differential cryptanalysis [18, 33, 34] depends on the maximum probability of differential characteristics, which are paths from the plaintext difference to the ciphertext difference.

Two designs proposed in the article are developed on SDDO, of which SDDO is designed from hybrid CSPNs. Based on the differential characteristics of basic elements and design structure of the expansion box, we can identify differential characteristic of the algorithm in the cases of  using different SDDOs.

Figure 5. .Formation of the two-round iterative differential characteristic with the difference (L1,R0)(L0,R 1) with probability P(2)= 2-68 .

Details of the results are presented in Table 3. The results show that the proposed designs have a differential characteristic better than the majority of the known block ciphers and have been the best ones in case 1, by the differential of F2/2 elements chosen as the best ones and only after 4 rounds the design structure of the proposed algorithm can be able to resist differential cryptanalysis. However, to prevent the type of current un-predicted attacks, eight transformation rounds were used in the proposed designs.

Table 3. Security comparison of some cipher with BM123-128

3.2. Review of NESSIE test

For the purpose to check the statisticproperties of the block algorithm proposed in the article, we test it according to the method offered by the NESSIE Project (New European Schemes for Signatures, Integrity, and Encryption). In this method, we examine the statistic properties of the BM123-128 cipher corresponding to the following four pendence criteria [28]:

1. The average number of output bits changed when changing one input bit – (1);
2. The degree of completeness – (2);
3. The degree of avalanche effect – (3);
4. The degree of strict avalanche criterion – (4).

According to NESSIE standard announced [28], we have tested with 10,000 random test samples with 2 models:

Model 1: X=100; K=100, reviewing the influence of the incoming text bits on the transformed text.

Model 2: X=100; K=100, reviewing the influence of the key bits on the transformed text. Evaluating model 2 is a compelling factor for the security of the algorithm because the algorithm uses only simple key schedule without using complex key schedule but maintaining security standards.

Detailed statistical results are presented in Table 4 and Table 5 (Inthe case of a 128-bit key). The obtained results are shown after the third round, the algorithm has met the security standards required by NESSIE (for both cases of 192-bit and 256-bit keys, resulted corresponding to the third round).

Table 4.The values for criteria 1-4 (in case of 128-bit key ofcase 1)

Table 5. The values for criteria 1-4 (in case of 128-bit key ofcase 2)

3.2. Review of FPGA synthesis results and comparisons

Integral efficacy is the solution evaluating the relationship between the cost of resources in the algorithm for the encryption/decryption speed to be achieved. The integral efficacy evaluation is usually done under the two architectures described in detail in [18].

Hardware implementations of the proposed cipher are designed and coded in the VHDL language. The BM123-128 cipher is examined in hardware implementation by using iterative (IT)and pipeline (PP)architectures for XILINX FPGA Virtex Device.In the first one, only one round of BM123-128 cipher is implemented in order to decrement the required hardware resources.In a pipelined architecture where all R-rounds of the data encryption part and the key scheduling part are implemented, the required hardware resources are increased.

Due to the use of the FPGAorientedprimitives, the BM123-128 is significantly more efficient for the FPGA implementation against the majorityofthe known block ciphers. Under both architectures, the results showed that the proposed algorithm can integrate more efficiently than do other algorithms including the DDP-based ones (COBRA-H128, CIKS-1), DDO-based one (Eagle-128) and AES finalists(MARS, RC6, Rijndael, Serpent, and Twofish) [18]. In case 2, the integral efficacy is improved because the costof resources to design CE F2/1 is less than that of CE F2/2. Integral efficacy results implement the proposed algorithm on FPGA in comparison to other traditional algorithms, described in detail as in Table 6.

The comparisons are made in terms of Integral efficacy (IE). The Integral efficacy results are obtained by the following equations (two comparison models) [18]:

IE = Throughput (Mbps) / Area (#CLBs)
IE = Throughput (Mbps) / ((Area (#CLBs) × Frequency (MHz))

Table 6. FPGA Synthesis Results of BM123-128 and Comparisons

Notes: N-the number of cycles; N = 1 i.e. refers to the algorithm designed by FPGA according to iterative architecture (IT); N = Rmax means algorithm designed on FPGA by Pipeline architecture) (PP).


The main research results in the article include:

  • Analysis of the development trend of the cipher block at high speed and the challenge in the design of the cipher block algorithm in restricted
  • Proposed BM123-128 algorithm with two different specific designs. The designs use different hybrid CSPN models. The algorithm is a simple key schedule designed to help reduce the cost of the equipment when being implemented on the
  • Demonstration of the security of the proposed algorithm design under the reviews of statistical standards by NESSIE and differential
  • Proof of integral efficacy of the proposed algorithm designs with implementation efficiency on Comparison of integral efficacy of some traditional cipher algorithms which have known for better results.
  • Two designs of the proposed algorithm meet security against known attacks. The second design of the algorithm has an advantage in terms of integral efficacy, but it must accept the reduction in differential characteristics (though not significant).


The authors declare no conflict of interest.


This research was supported by the project “Research, design and fabrication of IoT gateway devices integrated for the security solution in the IoT platform and applied for the air quality monitoring pilot in Ho Chi Minh City’s Saigon High-Tech Park” (contract number 48/2018/HĐ- QKHCN).


  1. Jie Wu,(2006),Handbook on Theoretical and Algorithmic Aspects of Sensor, Ad Hoc Wireless and Peer-to-Peer Networks,Auerbach Publications Talor & Francis Group, New
  2. Razvi Doomun and KMS Soyjaudah, (2009) “Analytical Comparison of CryptographicTechniques for Resource-Constrained Wireless Security,” International Journal of Network Security, vol.9, no.1, pp.82–94.
  3. A.Moldovyan, A.A.Moldovyan, M.A.Eremeev andD.H.Summerville, (2004), “Wirelessnetworks security and cipher design based on data-dependent operations: Classification ofthe FPGA suitable controlled elements,”Proceedings of the CCCT-2004, Austin Texas,USA, pp.123–128.
  4. Moldovyan and N. Moldovyan, (2002), “A cipher based on data–dependent permutations,”Journal of Cryptology, vol. 15, pp.61–72.
  5. D.Goots, B.V.Izotov, A.A.Moldovyan and N.A.Moldovyan,(2003),Modern cryptography: Protect Your Data with Fast Block Ciphers, Wayne, A-LIST Publish.
  6. D.Goots, A.A.Moldovyan and N.A.Moldovyan, (2001),“Fast Encryption Algorithm Spectr- H64,”MMM-ACNS 2001. LNCS, vol.2052, pp.275–286.
  7. D.Goots, N.A.Moldovyan, P.A. Moldovyanu and D.H. Summerville, (2003),“Fast DDP-Based Ciphers: From Hardware to Software,”46th IEEE Midwest International Symposium on Circuits and Systems.
  8. Ko, D. Hong, S.Hong, S. Lee and J. Lim, (2003),“Linear Cryptanalysis on SPECTR-H64 with Higher Order Differential Property,”MMM-ACNS 2003. LNCS, vol.2776, pp.298–307.
  9. Ko, C. Lee, S. Hong and S. Lee, (2004),“Related Key Differential Cryptanalysis of Full-Round SPECTR-H64 and CIKS-1,”ACISP 2004. LNCS, vol.3108, pp.137–148.
  10. Lee, D. Hong, S. Lee, S. Lee, H. Yang and J. Lim, (2002),“A Chosen Plaintext Linear Attack on Block Cipher CIKS-1,”ICICS 2002. LNCS, vol.2513, pp.456–468.
  11. Ko, C. Lee, S. Hong, J. Sung and S. Lee, (2004),“Related-Key Attacks on DDP based Ciphers: CIKS-128 and CIKS-128H,”INDOCRYPT 2004. LNCS, vol.3348, pp.191–205.
  12. Lee, J. Kim, S. Hong, J. Sung andS. Lee, (2005), “Related-Key Differential Attacks on Cobra- S128, Cobra-F64a, and Cobra-F64b,”Progress in Cryptology – Mycrypt 2005. Mycrypt 2005. Lecture Notes in Computer Science, vol.3715, pp.244-262.
  13. Moldovyan, N. Moldovyan and N. Sklavos, (2004),“Minimum size primitives for efficient VLSI implementation of DDO-based ciphers,” Electrotechnical Conference, MELECON 2004, Proceedings of the 12th IEEE Mediterranean, vol.2, pp.807-810.
  14. A.Moldovyan,A.A. Moldovyan, M.A. EremeevandN. Sklavos, (2006), “New class of Cryptographic Primitives and Cipher Design for Network Security,”International Journal of Network Security,vol.2, pp.114–125.
  15. H. Minh, H.N. Duy and L.H. Dung, (2008), “Design and estimate of a new fast block cipher for wireless communication devices,” in Proceedings2008 International Conference on Advanced Technologies for Communications, pp.409-412.
  16. H. Minh, N.T Luan and L.H Dung, (2010), “KT-64: A New Block Cipher Suitable to Efficient FPGA Implementation,” International Journal of Computer Science and Network Security,vol. 10, no.1, pp.10-18.
  17. A.Moldovyan, (2008), “On Cipher Design Based on Switchable Controlled operations,”International Journal of Network Security,vol.7, pp.404–415.
  18. A.Moldovyan and A.A. Moldovyan, (2008),Data-driven Ciphers for Fast Telecommunication Systems, Auerbach Publications Taylor & Francis Group, New York.
  19. H.Minh, D.T. Bac and H.N. Duy, (2010),“New SDDO-Based Block Cipher for Wireless Sensor Network Security,”International Journal of Computer Science and Network Security,vol.10, pp.54– 60.
  20. T. Bac, N.H. Minh and H.N. Duy, (2012),“An Effective and Secure Cipher Based on SDDO,”International Journal of Computer Network and Information Security, vol.11, pp.1–10.
  21. Kang, K.Jeong, C.LeeandS. Hong, (2014),“Distinguishing attack on SDDO-based block cipher BMD-128,”In Ubiquitous Information Technologies and Applications,vol.280, pp.595–602.
  22. S.D.Phuc, C.Lee and N.Xiong, (2017),“Cryptanalysis of the XO-64 Suitable forWireless Systems,”
  23. Wireless Personal Communications, vol.93, pp.589–600.
  24. Kang, K. Jeong, S. Hong and C. Lee, (2013),“Related-key amplified boomerang attacks on KT-64 and MD-64 suitable for wireless sensor networks,” Sensor Letters, vol.11(9), pp.1765–1770.
  25. Kang, K. Jeong, S. Yeo and C. Lee, (2012), “Related-key Attack on the MD-64 Block Cipher Suitable For Pervasive Computing Enviromnent”, Proceedings of International Conference on Advance Infonmtion Networking and Application Workshops, no.26, pp.726-731.
  26. S.D. Phuc and C. Lee, (2018), “Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoTApplicationTargets,”Symmetry, 10(8), pp.1-11.
  27. T. Bacand N.H. Minh, (2013), “High-speed block cipher algorithm based on hybrid method,” Proceedings of the 8th International Conference on Ubiquitous Information Technologies and Applications (CUTE 2013), Lecture Notes in Electrical Engineering, vol.280, pp.285-291.
  28. M. Tuan, D.T. Bac, N.H. MinhandD.T. Nam, (2017), “New Block Ciphers for Wireless Moblile Netwoks. In: Advances in Information and Communication Technology,”ICTA 2016. Advances in Intelligent Systems and Computing, vol.538,pp.393-402.
  29. New European Schemes for Signatures, Integrity, and Encryption,
  30. HarshaliZodpe and Ashok Sapkal, (2018), “An efficient AES implementation using FPGA with enhanced security features,” Journal of King Saud University – Engineering Sciences, 1-8.
  31. T. BacandN.H. Minh, (2013), “A High Speed Block Cipher Algorithm,” International Journal of Security and Its Applications, vol.7, no.6, pp.43-54.
  32. Daniel G. Costa,Solenir Figuerêdo and Gledson Oliveira, (2017), “Cryptography in Wireless Multimedia Sensor Networks: A Survey and Research Directions,”Cryptography 2017, 1(1),
  33. Ahmer Khan Jadoon, Licheng Wang, Tong Li and Muhammad Azam Zia, (2018), “Lightweight Cryptographic Techniques for Automotive Cybersecurity,” Wireless Communications and Mobile Computing, Special Issue: Rethinking Authentication on Smart Mobile Devices,
  34. Lorenzo Grassi, (2017), “Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES,” Cryptology ePrint Archive: Report 2017/832.
  35. Lorenzo Grassi and Christian Rechberger, (2018),“New Rigorous Analysis of Truncated Differentials for 5-round AES,” Cryptology ePrint Archive: Report 2018/182.


Minh Nguyen Hieu is a Vice Dean at the Institute of Cryptographic Science and Technology, Hanoi, Vietnam. He finished his Ph.D. at the Saint Petersburg Electrical Engineering University (2006). His research interests include cryptography, communication, and network security. He has authored or co-authored more than 85 scientific articles, book chapters, reports, and patents, in the areas of his research.


Bac DoThi is a Lecturer at the Faculty of Information Technology, Thai Nguyen University (Thainguyen,Vietnam). Her research interests include cryptography, communication, and network security. She received her Ph.D. from Le Quy Don Technical University (2014).


Canh Hoang Ngoc is a Lecturer at Thuongmai University, Hanoi, Vietnam. He received his master degree in information systems from the Le Quy Don Technical University of Vietnam in 2012. His research interests include cryptography, database, machine learning. Currently, besides teaching, he works as a network administrator and database administrator at Thuongmai University.


Manh Cong Tran got his master-degree in computer science from Le Quy Don Technical University of Vietnam in 2007. In 2017, Manh got his PhD degree from Department of Computer Science, National Defense Academy, Japan. His current research interests include network traffic classification/analysis and anomaly/malicious detection. Currently, Dr. Manh works as a researcher in Le Quy Don Technical University, Hanoi, Vietnam.

Phan Duong Phuc is a Lecturer at the Academy of Cryptography Techniques, Hanoi, Vietnam. He received his master degree in Telecommunications Engineering from Posts and Telecommunications Institute of Technology, Vietnam in 2014. His research interests include electronics, telecommunications, and cryptography.

Khoa Nguyen Tuan is a Researcher at the Research Laboratories of Saigon High-Tech Park, Ho Chi Minh City, Vietnam (SHTP Labs). His research interests include electronics, telecommunications, and cryptography.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


This entry was posted on August 13, 2020 by .
%d bloggers like this: